Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome 25 Will Disable Silent Extension Installation

Posted by timothy on from the now-you-must-shout dept.

An anonymous reader writes "Google on Friday announced that it is changing its stance for silently installing extensions in its browser. As of Chrome 25, external extension deployment options on Windows will be disabled by default and all extensions previously installed using them will be automatically disabled."

121 comments

  1. Yeah! by bfmorgan · · Score: 1, Offtopic

    Thank you

    --
    I hope this caused some synapses to fire.
    1. Re:Yeah! by BitZtream · · Score: 4, Informative

      Whats to get excited about, this just causes problems for legitimate extensions.

      Fact: Dirty/Malware extensions can work around it by just sitting whatever flags need to be set where ever they need to be set to make Chrome think they are approved.

      Fact: Legit extensions installed with other software will now at the minimum need an annoying popup to allow them, or worse, digging through menus to figure out how to term them on instead of 'just working'.

      Fact: Google will exempt itself from this practice.

      As someone who wrote extensions for Firefox until we got tired of supporting its broken every release API, it was trivial to work around this sort of crap with firefox, the same will be true of Chrome.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Yeah! by dreamchaser · · Score: 5, Insightful

      You're so right. We should also leave all of our doors and windows unlocked because face it, a determined intruder will just find a way in, and we could be blocking legitimate friends and family. We might actually have to get up and answer the door!

    3. Re:Yeah! by symbolset · · Score: 5, Insightful

      Fact: silent browser extension installation is like a browser version of Microsoft's AutoRun. There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

      --
      Help stamp out iliturcy.
    4. Re:Yeah! by jhoegl · · Score: 3, Insightful

      There is such a thing as user fatigue.
      If you keep harping at the user about every little thing they will just accept without reading and move on.
      So in what way have you empowered the broad user base by adding this?
      Treating the symptoms instead of finding the cause is the problem. Although there is no easy way to solve this particular riddle, the solutions provided do nothing to educate and help the user.

    5. Re:Yeah! by Anonymous Coward · · Score: 1, Funny

      Fact: saying fact before a statement makes it an inarguable universal truth.
      Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

      FWIW I happen to agree. But for $DEITY's sake, just state your case.

    6. Re:Yeah! by Anonymous Coward · · Score: 0

      What about not legit ones? You're missing the boat there. Malware makers can come along and abuse it and probably have, hence why google is taking action (albeit only now).

    7. Re:Yeah! by maxwell+demon · · Score: 1

      The malware extensions only can do anything if they are already running. I'd expect Chrome to check the extensions before starting them.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:Yeah! by Anonymous Coward · · Score: 0

      I hope you're not developing extensions for browsers anymore.

    9. Re:Yeah! by Johann+Lau · · Score: 4, Insightful

      SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

      If you keep harping at the user about every little thing they will just accept without reading and move on.

      And what is lost compared to not even having the choice? That's like initializing user_fatigue with the maximum value.

      So in what way have you empowered the broad user base by adding this?

      As I just said, you give each user the choice how much of an idiot they want to be, instead of forcing ALL users to be idiots.

    10. Re:Yeah! by Albanach · · Score: 5, Interesting

      SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

      How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.

      If the click through presents a warning and defaults to No, then users are much more likely to opt-out, clicking themselves to safety. Even better if there's a 'don't let this site bother me again' option.

    11. Re:Yeah! by Johann+Lau · · Score: 4, Interesting

      How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions.

      Same here, so don't ask me :P

      I think saying "user fatigue!" is really just the last FUD straw of someone who doesn't like that Google made an innocent good move for a change. There is nothing wrong with this change, which is why the "arguments" against it are so desperate and funny. I can sympathize with that, I'm all for being unfair to Google haha, but this is too much of a stretch.

      Fuck "user fatigue" - unless you mean being tired of users, then more power to you, of course. Look out for the disabled, for those who need help, and of course streamline stuff where it makes sense. But fuck catering to lazyness and mindlessness. If most people are lazy then most people are obsolete. I don't think they are, but that's what I respond to that argument. Ignore them now before they feel even more entitled. Personally, I'd be all for hunting them down (not being lazy and all that), but I am willing to compromise.

    12. Re:Yeah! by Anonymous Coward · · Score: 0

      Sadly, I've heard this exact approach to security in numerous work environments.

    13. Re:Yeah! by cbiltcliffe · · Score: 4, Insightful

      When your "lock" consists of a lever with a little sign saying "push this lever if you're supposed to be here" you might as well leave it unlocked....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    14. Re:Yeah! by Maow · · Score: 2

      Fact: saying fact before a statement makes it an inarguable universal truth.
      Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

      FWIW I happen to agree. But for $DEITY's sake, just state your case.

      Try reading the GP comment for the reason.

      Hint: he (Symbolset) is responding to that poster's arrogance.

      Hint #2: the GP's comment states 3 "facts" as though stating such that makes them inarguable truths.

      FWIW, I agree that it's bad form, but it was a response-in-kind that you replied to.

      Cheers

    15. Re:Yeah! by girlinatrainingbra · · Score: 2

      Same problem with auto-update on Firefox. At some point, I was running version X of Firefox off of a live-boot-usb-stick, and I hadn't configured Firefox completely, and I forgot to do it for a day. Next afternoon, my version of Firefox had updated to X+2 and then the next day it was updated to Firefox 17 with all of the googley-crap put back into the search box and all of the javascript options I had disabled being re-enabled and all of my addons such as adblock and noscript were disabled because the versions I had installed with saved .xpi files were not compatible with FF17. DAMN IT! If I wanted to fucking upgrade my version of FF I'd have done it myself. And upgrading the whole f*cking browser is fuckloads of worse shit than just sneaking in browser extensions. (Can you tell that I was pissed off? Still am, aren't I? Apologies to those with tender ears)

    16. Re:Yeah! by 1u3hr · · Score: 5, Funny

      Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

      And adding the "Period" suffix after your opinion makes it a universal truth. Period.

    17. Re:Yeah! by Anonymous Coward · · Score: 0

      OK, Dwight. Fact: using "Fact:" more than once per reply flags you as overly excited.

    18. Re:Yeah! by Vegemeister · · Score: 2

      Windows users still install programs by downloading executables from the internet and running them as root. It doesn't matter what we do to our windows and doors when one wall of our house is missing.

    19. Re:Yeah! by VortexCortex · · Score: 4, Insightful

      There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

      Then explain Chrome's silent updates? By your logic there should be no reason why an application would update itself without operator permission -- Why, if it were small part of a larger system it could even bring the entire intranet down. What I see is friction between notification of updates and desire to have less notification noise. IMO, the best answer when there is a choice to make that involves users' usage is to let them decide:
      An update for Chrome is available.
      ( ) Skip this update.
      ( ) Download the update and ask again later.
      (o) Download and Install Automatically

      [x] Remember this choice and don't ask again.
      ____

      A plugin update is available for: NotScript
      ( ) Skip this update.
      ( ) Download the update and ask again later.
      (o) Download and Install Automatically.

      [_] Remember my choices for future updates.
      [x] Make this the default for all plugins.
      ____

      Status Notification:
      42 Updates are being downloaded and installed. [Options...]

      I thought we solved this shit in the 70's? You know, with our rocket science... The answer is almost never: Less Choice; It's almost always: Sane defaults & Discoverable options.

      See also above comment by: girlinatrainingbra (2738457)

    20. Re:Yeah! by symbolset · · Score: 3, Funny

      Well I guess the only reasonable response to this is: don't eat lead-based paint chips. Your post has nothing to do with my post.

      --
      Help stamp out iliturcy.
    21. Re:Yeah! by Anonymous Coward · · Score: 1

      So install the old version again? Really, not that hard. Of course, the old version most likely doesn't have security fixes, and the extensions you have can easily be updated, but where's the fun in that?

    22. Re:Yeah! by girlinatrainingbra · · Score: 1

      Actually, I could just reboot the live stick, then run my reset script with my archived settings. But this one particular archive had been saved before I remembered to disable the autoupdate features in FF. Read VortexCortex's comment below, which I wholeheartedly agree with. A sane default option is to "opt in" to auto-updates; it is insane and irrational to require "opting out" of auto-updates. That is the batshit insanity which Firefox has been setting up lately, just like MS Internet Explorer had been doing and the same idiotic crap that chrome was pulling allowing automatic updates to extensions without having the user make that selection. So my complaint is NOT about having to spend the time on installing the old version again. My complaint is the same as VortexCortex: wasn't this shit already solved decades ago and isn't the sensible option "opting in" rather than automatically allowing for updates and forcing people to find the third-subtab on the right-most tab of the "preferences" or "options" menu item of Firefox (which has variously appeared on the "Tools menu" or on the "Edit menu" on the FF menu-bar). Got it yet, madamoiselle anonymous coward?
      ;>p

    23. Re:Yeah! by Anonymous Coward · · Score: 0

      You have anger issues.

    24. Re:Yeah! by Tim+Ward · · Score: 1

      Well, you could always follow the NRA's advice and get a gun and shoot everyone who walks through the door. You gotta gun, you don't need locks.

    25. Re:Yeah! by mwvdlee · · Score: 1

      Fact: Google will exempt itself from this practice.

      Fact: TFA doesn't say this. Please back up your personal believes before stating them as if they were facts.

      More importantly; this is all a trust issue. Chrome is Google's browser. Assuming Google trusts itself, I can see why they would exempt themselves.

      I have a lock on my door to keep unwanted people out, but I have given myself a key to get in whenever I want because I trust myself not to steal from myself.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    26. Re:Yeah! by ericloewe · · Score: 1

      It's a matter of principle. Windows doesn't automatically allow something to be run if it's signed by Microsoft, neither does OS X, as far as I've seen.

    27. Re:Yeah! by satuon · · Score: 1

      Yes, but the lever would be on the INSIDE side of the door.

    28. Re:Yeah! by hairyfeet · · Score: 2

      How about simply having a checkbox that says "trust installs by this publisher" and call it a day? why not that? on the one hand i don't want to be clicking my ass off and on the other hand i don't want shit installing silently, so why not a compromise?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    29. Re:Yeah! by Anonymous Coward · · Score: 1

      There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

      Then explain Chrome's silent updates?

      Chrome specifically asks to install itself (and make subsequent updates). Your argument makes no sense.

    30. Re:Yeah! by hairyfeet · · Score: 1

      Mind some advice? Install Comodo Dragon on the stick instead. Not only does it have all the same extensions Chrome has (since they both use the Chromium base) but there is but a single checkbox in options that says "do not check for updates" and once it is checked it will do just that, never check for updates. it also has the Privalert built in which lets you block tracking crap with a single click and the option of Comodo Secure DNS which will block many sites that have been infected from loading. Oh and no need to hunt down a "portable" version since they ALL have the option of being portable on install, just check the box that says you want it portable and point it at your stick.

      I switched my portable FF for Dragon over a year ago and I'm quite happy with it, doesn't hardly ever touch the stick, has low rights mode which FF still hasn't adding even after 5 years, its just a really nice little browser. Oh and if you DO decide some day you want to update it Comodo almost never changes its UI, in fact since Dragon 5 (currently on V23) the only thing they moved was the dragon's eye from the right side to the left, that's it. so nice for those of us that hate having to play Where's Waldo with all the damned UI changes.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    31. Re:Yeah! by nogginthenog · · Score: 2

      This. Adding 'this' always makes the parent true.

    32. Re:Yeah! by Anonymous Coward · · Score: 0

      Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

      And adding the "Period" suffix after your opinion makes it a universal truth. Period.

      I don't believe you.
      Fact: Your statement was not prefixed with the appropriate "Fact:" flag and is therefore untrustworthy. End of.

    33. Re:Yeah! by nitehawk214 · · Score: 1

      Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

      And adding the "Period" suffix after your opinion makes it a universal truth. Period.

      I don't believe you.
      Fact: Your statement was not prefixed with the appropriate "Fact:" flag and is therefore untrustworthy. End of line.

      Adding end of line at the end of your line makes you sound like you are the MCP. End of line.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    34. Re:Yeah! by nitehawk214 · · Score: 1

      This. Adding 'this' always makes the parent true.

      "Yields falsehood when preceded by its quotation" yields falsehood when preceded by its quotation.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    35. Re:Yeah! by Anonymous Coward · · Score: 0

      Then explain Chrome's silent updates?

      When _you_ installed Chrome manually (!) you agreed also to silent updates. (Either right then or later through the update settings.)

      It's not nearly the same thing as some extension installing itself without you knowing.

    36. Re:Yeah! by S.O.B. · · Score: 1

      Fact: Using Fact and Period makes your point even more universally true. Period.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    37. Re:Yeah! by Chelloveck · · Score: 1

      Fact: Legit extensions installed with other software will now at the minimum need an annoying popup to allow them, or worse, digging through menus to figure out how to term them on instead of 'just working'.

      "Legit extensions installed with other software"... Like that bullshit Ask Toolbar that got silently installed into Chrome when I loaded some crappy unrelated shareware the other day? Yeah, the world is sure going to lose out when that kind of anti-social behavior is made more difficult.

      I can't think of any legitimate extensions that would be harmed by having Chrome open up with, "Hey, there's a new extension here, do you want to use it?" The only things that are going to suffer are the unwanted advertising / data mining extensions that survive only because people don't bother to uninstall them. Which they shouldn't have to do anyway, because the extension should never have been installed in the first place!

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    38. Re:Yeah! by Anonymous Coward · · Score: 0

      There's no such thing as a silently installed legitimate extension.

    39. Re:Yeah! by wvmarle · · Score: 1

      That's sensible, for the lack of anything resembling a Linux distribution's repository for Windows. I've before been told here on /. that "Google is your repository/app centre" - i.e. search for the software on Google and download it. That's just the way it goes in the Windows world. And to get Firefox, I happen to know to go to getfirefox.com but if I need say a pdf reader (not that bloated pos from Acrobat) then I'd also just go to Google, and select one or two of the top rated results, download it, run it, and hope for the best.

      And Windows users have learned in the past that everything needs to be root to run properly... well that's by know more or less solved, still many users will run as root just because that's what they're used to, and it's convenient of course.

    40. Re:Yeah! by Anonymous Coward · · Score: 0
      Actually you have this completely wrong when you say:

      A sane default option is to "opt in" to auto-updates; it is insane and irrational to require "opting out" of auto-updates.

      That position is completely indefensible. It is how we originally got into the millions of Windows computers being in bot nets - the huge number of joe sixpacks out there that didn't go enable automatic updates on their computers. Notice how that situation, while still not great, is a lot better now that automatic updates are, well, more automatic? The same thing goes for old, insecure, browsers. Folks like you that want to run an old one for some reason? Great, go turn off the default setting. You are in a small minority. Everybody else? Automatic updates. We don't want to have to mess with this stuff; automatic should definitely be the default as we've all learned over the last 15 years or so.

    41. Re:Yeah! by jittles · · Score: 1

      I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.

      This is chrome we are talking about here. They've probably made 3 major releases just since they announced this feature in release 25. I mean how long has Chrome been around? The only software version that has a higher number than Chrome is Windows 98.

    42. Re:Yeah! by Johann+Lau · · Score: 1

      Yeah, why not. I'm all for making it easier to make responsible, conscious decisions, and to automate tasks based on those conscious decisions... it's the "let's make it so easy nobody even has to think" bits I have issues with, or the "let's measure people and give them more about they already have (or: let's put people into bins and then normalize those bins)". It's degrading, it has no good motivations and no good results.

    43. Re:Yeah! by trogdor8667 · · Score: 1

      All my extensions were disabled by the dev channel when that update came through. It gave me a messagebox when it ran the update letting me know it disabled them, and it doesn't give you a way to re-enable them. You do have to dig through the menu to re-enable them. This is after a previous version already made it so to distribute them internally you had to save the crx file, open the extensions page, and drag it on there.

      I understand the point is security, but they're making legit purposes harder to deal with.

    44. Re:Yeah! by hairyfeet · · Score: 1

      Nice to see somebody else is sensible. I mean I trust the ForecastFox guys, so why shouldn't I get a little checkbox that says "trust extensions by this publisher" and let that be that?

      There are plenty of times, especially with older customers, that having any thing pop up at them is gonna freak them right the fuck out, they are gonna think they are getting hacked or they broke something so why not give the option to guys like me that are actually building the system to say "I trust these extensions, always allow these" while leaving the rest off? Seems like such a logical thing to me, give the choice to the USER, not to the browser or the extension writer.

      Of course I've been a champion of user centric design for years, sadly they don't listen to common sense anymore, its all "my way or the highway" crap instead of just giving the user choice. And in the end isn't that what this should be about, giving the user choice and control? I think a little "always trust this publisher" would solve it nicely, nobody has to use it if they don't want to and at the same time guys like me wouldn't be doing a click dance every time my extensions needed updating. sounds like a win/win to me.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    45. Re:Yeah! by Anonymous Coward · · Score: 0

      Considering that Android can disable EVERY. SINGLE. GOOGLE. APPLICATION just like any other application, where are you getting this "fact" that Google's own extensions will be exempt?

      Have you ever heard of key signing? Malware can't as easily just "sit" on flags, because it must know the private key in order to modify the settings. Now, there's ways around it, but can be minimized if done right.

    46. Re:Yeah! by Anonymous Coward · · Score: 0

      So no need for the male and female signs on public toilets?

    47. Re:Yeah! by Anonymous Coward · · Score: 0

      If you don't see the difference between automatically updating an often used and often vulnerable software, and automatically installing new software, you shouldn't be using a computer.

    48. Re:Yeah! by Raistlin77 · · Score: 1

      You must REALLY hate Apple then...

    49. Re:Yeah! by Anonymous Coward · · Score: 0

      Uhhhmmmm...that is not the NRA's position. One cannot legislate the crazy out of anything or anyone...same goes for security.

    50. Re:Yeah! by Anonymous Coward · · Score: 0

      Neither browsers nor browser extensions should ever even remotely be allowed to auto-update.

      Security-hole central. The day is going to come when the signing certs, etc for Mozilla, Google, et al are going to be compromised in such a way that the blackhats will have their poisoned versions automatically installed to millions of machines.

      Just what we need: Some two-bit Russian foisting his "customized" version of Chrome or Firefox upon the clueless masses via automatic updates.

      This day is not as far off as people think, when we have 14-year olds doing shit like this for fun, and what they can do, an adult criminal can copy.

  2. Check out the Chrome 82 Beta by EmagGeek · · Score: 1

    It's pretty awesome.

    1. Re:Check out the Chrome 82 Beta by Anonymous Coward · · Score: 0

      I'll stick with Chrome "69" mouth 2 ass. It has /etc/host support => http://news.slashdot.org/comments.pl?sid=3336385&cid=42378727

      APK

  3. Impossible by KiloByte · · Score: 5, Insightful

    How exactly can they block silent installs if the process that wants to add the extensions has the same rights as Chrome -- or strictly higher? The other program can emulate whatever way Chrome uses to mark something as legitimately installed.

    It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Impossible by BradleyUffner · · Score: 1, Insightful

      Because the solution isn't perfect we should do nothing at all instead.

    2. Re:Impossible by grim4593 · · Score: 1

      Chrome could hash the extensions files upon proper installation and have an encrypted list of all valid extension hashes. That way an elevated process could move the files to the right folder locations but Chrome can choose not to evoke them if they aren't on the list.

    3. Re:Impossible by ohnocitizen · · Score: 4, Insightful

      Stopping "nice" extensions is a step forward. This will make it difficult for 3rd party app developers who wanted to sneak extensions into Chrome to continue business as usual. Microsoft and malware authors will probably find ways to work around it, true. But reigning in bad behavior by people who otherwise play by the rules is still progress.

    4. Re:Impossible by Anonymous Coward · · Score: 3, Interesting

      One way is to keep record of installed plugins by user interaction on google server and recall the list and compare extension lists on startup.

      Another way is to sign the extensions with a special per user key that is kept on google server. If key may also be kept on the user pc but needs a public private key signing system. The signing and reading key needs to be created on user plugin installation with all plugins re-signed with new signing key and then that key is destroyed leaving only the reading key. Trying to write over the reading key would make old plugin unreadable (or a special check file for cases with no plugins) and you can't create a signed plugin without the signing key. This still leave attacks left for listening but it's should be pretty rare for plugin installation, anyways kinda moot if a malware has great access to your pc.

    5. Re:Impossible by larry+bagina · · Score: 3, Insightful

      An elevated process can also update the encrypted list.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    6. Re:Impossible by Anonymous Coward · · Score: 0

      Chrome could hash the extensions files upon proper installation and have an encrypted list of all valid extension hashes. That way an elevated process could move the files to the right folder locations but Chrome can choose not to evoke them if they aren't on the list.

      Where is this encrypted list and its key stored? The other process can, since it has the same privileges, access both and modify the list (even if encrypted) the same way Chrome would.

    7. Re:Impossible by Anonymous Coward · · Score: 0, Flamebait

      An elevated process can also update the encrypted list.

      Not if it's a super double-secret list behind 7 proxies!

    8. Re:Impossible by larry+bagina · · Score: 2

      If Chrome can post a message to Google's server, Evil Plugin Installer can also post a fake message to Google's server. Your second choice sounds like a walled garden, which isn't bad, but it'll be messy to clean up after all those heads are blown...

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    9. Re:Impossible by TheLink · · Score: 4, Insightful

      This is setting a new intended default behaviour - e.g. extensions should ask permission. If you bypass this it makes it harder to argue that your extension isn't malware.

      Most people and the Courts treat things differently depending on whether you broke a lock to enter a place or the door wasn't even latched in the first place.

      --
    10. Re:Impossible by Johann+Lau · · Score: 1

      Why would malware in the system itself bother with a Chrome extension? What does that give you that you don't already have? Honest curiosity.

      can stop only "nice" extensions which would play by the rules in the first place

      Nah. There are plenty of "hey, it's just some ads/game/whatever, we from value add corp LOVE our customers!" extensions. Of course they're not "nice", but they otherwise use the standard process for extensions, and aren't malware by any stretch of the imagination.

    11. Re:Impossible by Anonymous Coward · · Score: 0

      Not if they don't have the encryption keys. It's basically DRM implemented for a good cause.

    12. Re:Impossible by techno-vampire · · Score: 3, Insightful

      ...and aren't malware by any stretch of the imagination.

      I don't know about you, but personally I find it hard to believe that any extension that installs itself without notifying the user has that user's best interests at heart. Even if they're not actually malware, they're probably doing something their author doesn't want us to know about and that's enough to make sure that I, for one, would never trust them.

      --
      Good, inexpensive web hosting
    13. Re:Impossible by Johann+Lau · · Score: 1

      That still doesn't make them malware in the stricter sense (all malware is evilware, but not all evilware is malware) Certainly when talking about bypassing the browser via having the OS infected.. if you have *that*, you can do anything; sure it'd be *nicer* to have an extension that makes grabbing web passwords super simple, but you don't really *need* it; you can already monitor all traffic, take screencaps, log keys, do whatever.. so what's the point of using root to install a chrome extension?

      I honestly wonder if I have missed something, or caught a completely bullshit argument at +5... what could Chrome do about any of that, anyway? How is this move worse than any other they could have done instead? One might as well say this doesn't help in the cases where the user is forced to click "yes" at gunpoint: that would be correct, but more importantly an idiotic argument. And I kinda hate Google, fuck their browser and the fucked up "web middleman" ads for it; this is still a good move with no real downsides, so wtf.

    14. Re:Impossible by mysidia · · Score: 2

      You can't. But this will interfere with network Administrators implementing a technical policy of pre-deploying specified extensions for all users.

      The only solution I can think of right now is to ban Chrome; and only allow IE or Firefox; which will allow admin-deployed extensions.

    15. Re:Impossible by someones · · Score: 1

      we learned allready, that DRM will and CANNOT possibly work ;)

    16. Re:Impossible by Anonymous Coward · · Score: 0

      I would think that the more steps that "Evil Plugin Installer" has to take, the better. Having anti-tampering within Chrome and using key exchange can provide more of a moving target that's a bit harder to hit.

    17. Re:Impossible by KiloByte · · Score: 1

      The typical scheme on Windows is, one of ten "Ok" dialogs during installing an unrelated piece of software instead says "install Bonzi Buddy Toolbar", and you need to read them all carefully and press "cancel" instead, which most people fail to do. Or often, it's just a pre-checked check box on a long page.

      All that will change is that the question instead of "install BBT?" will be "install and enable BBT?".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    18. Re:Impossible by KiloByte · · Score: 1

      They do have all encryption keys Chrome could possibly have -- and if they'd be stored remotely, they are in the same position wrt asking Google's servers.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    19. Re:Impossible by KiloByte · · Score: 1

      Except that your average malware toolbar does ask for permission when whatever software it is attached to is being installed. It will just helpfully save you from having to do another step, after you click "ok" to "install and enable XXX?".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    20. Re:Impossible by jopsen · · Score: 1

      It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).

      Most of the crap toolbars people install for internet explorer are semi legitimate... They can be removed, often, you install program X it'll ask you if you wish to add toolbar Y to IE. The guys behind these toolbars pray on the fact that people forget to click, don't install this useless crap toolbar...
      Raising the bar and forcing people to make the actual choice is a good idea.

      Most of these toolbars are not removed by Anti virus, because they are perfectly legal, Yahoo toolbar is a good example.

      Granted I haven't used windows for years, but back then it was a problem with IE, I wouldn't be surprised if Google wants to avoid that situation for Chrome... After all they used to make Google toolbar for IE, which is just as bad, so they should know what they are doing...

    21. Re:Impossible by AmiMoJo · · Score: 1

      I hate it as much as you do, but just to play Devil's advocate for a moment I can at least understand why an app like Adobe Reader might install a plug-in. When a normal user installs an app they expect certain things to just work, such as double clicking on a PDF opening in the PDF reader they just downloaded. So from Adobe's point of view it makes sense to allow PDFs on the web to open natively in the browser too.

      As to why they don't ask if you want it my guess would be that they don't think users will understand the question. It is the same reason they don't ask about setting file associations and start-up programs, and is IMHO wrong.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re:Impossible by techno-vampire · · Score: 1

      I have no objection to apps installing plug-ins so that documents can be opened in the browser. What I object to is having them do it silently, without bothering to tell me. If the plug-in is part of the original installation, the fact should be listed as part of what's getting installed. If the user doesn't bother to read the list, they've got no reason later to object as long as the information's clearly there.

      --
      Good, inexpensive web hosting
  4. I'm on Chrome LightSpeed by Anonymous Coward · · Score: 1

    Chrome 299729548 is even better.

    1. Re:I'm on Chrome LightSpeed by Anonymous Coward · · Score: 1

      Colonel Sandurz: Prepare ship for light speed.
      Dark Helmet: No, no, no, light speed is too slow.
      Colonel Sandurz: Light speed, too slow?
      Dark Helmet: Yes, we're gonna have to go right to ludicrous speed.

  5. I'm not sure I understand... by Slyfox696 · · Score: 1

    I'm not sure if I fully understand the ramifications here...what exactly will this mean for my Firefox?

    1. Re:I'm not sure I understand... by Anonymous Coward · · Score: 0

      Means you have to update the version number.

      I suggest adding a 3000.

      Because that's cooler.

    2. Re:I'm not sure I understand... by rudy_wayne · · Score: 1

      Means you have to update the version number.

      I suggest adding a 3000.

      Because that's cooler.

      Actually, you've hit on a good idea. Just like Netscape Navigator skipped from version 4.7 to 6 so they could jump ahead of Internet Explorer 5, Firefox should return to that practice. The next version of Firefox should be 29. Then they will be forever cooler and more modern than Chrome.

      I'm serious.

    3. Re:I'm not sure I understand... by maxwell+demon · · Score: 1

      Actually, they could restrict version numbers to be prime numbers afterwards, then they will appear to progress much faster.
      Although ... thinking about it, they probably would soon reach primes so large that they would face export restrictions from the version number alone. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:I'm not sure I understand... by Anonymous Coward · · Score: 0

      No, no, no. All versions of every application should be 11.

    5. Re:I'm not sure I understand... by someones · · Score: 1

      no. 42 or 1337

    6. Re:I'm not sure I understand... by Zontar+The+Mindless · · Score: 1

      Actually, you've hit on a good idea. Just like Netscape Navigator skipped from version 4.7 to 6 so they could jump ahead of Internet Explorer 5...

      I'm guessing you weren't around at the time, because there were in fact two versions of Netscape 5.0, which you could download and play with (and I did; and I therefore take serious issue with the implication by the Wikipedia article that no binaries were ever built/released).

      In any case, you're wrong. NS 5.0 was scrapped because they junked the the old codebase. NS 6.0/Mozilla (the latter of which eventually became Firefox) was a complete rewrite.

      --
      Il n'y a pas de Planet B.
    7. Re:I'm not sure I understand... by Anonymous Coward · · Score: 0

      NS 6.0/Mozilla (the latter of which eventually became Firefox)

      No, Mozilla became SeaMonkey. Firefox was/is a new browser based on much of the same infrastructure.

  6. That UI is getting tired. Anyone agree? by bogaboga · · Score: 1

    While I love the Google's Chrome browser, it is my opinion that its UI is getting tired. Anyone agree? A refresh wouldn't do any harm at this point. Would it?

    1. Re:That UI is getting tired. Anyone agree? by Anonymous Coward · · Score: 3, Insightful

      Have you learnt nothing?

    2. Re:That UI is getting tired. Anyone agree? by Seumas · · Score: 1

      To be frank, I don't know what other UI you could implement. It's a web browser. It has some tabs and some forward and back buttons and a giant viewport.

    3. Re:That UI is getting tired. Anyone agree? by Nimey · · Score: 2

      No. I'm not wild about the three-bar option button, but the rest is OK.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:That UI is getting tired. Anyone agree? by Anonymous Coward · · Score: 0

      I wish they would just stop incompetently rolling their own UI. When you've got no taste you shouldn't be designing UIs in the first place, and moreover if the user has changed the system colours or installed a different theme it's crass not to use it.
      (Yes, I'm aware you can install custom theme's in Chrome. But they're really limited, for example the window buttons in the top-right will always look like crap, as will many other things in the browser. Default behaviour should be to draw everything using the system theme.)

    5. Re:That UI is getting tired. Anyone agree? by shutdown+-p+now · · Score: 1

      NO.

      If you want constant UI refreshes, there's Firefox. Please don't mess up the only remaining sane browser.

  7. Trolls are everywhere!!! by Anonymous Coward · · Score: 4, Insightful

    Someone needs to get a handle on these trolls on this site or I'm calling the POLICE!!!!!

    I think malda himself might be trolling and I'm SICK OF IT!!!

    1. Re:Trolls are everywhere!!! by Anonymous Coward · · Score: 0

      And you don't think Malda -wasn't- trolling the site when he was in charge? What the fuck do you think people like Jon Katz and michael were doing here? To piss you off and keep you visiting so that he'd collect more ad revenue. Then he came up with the brilliant idea of making the articles themselves advertisements, though veiled ones...after a while he gave up on trying to hide it and a lot of the posts here were just out and out spam for X company of the week.

      You might be sick of it to the point of holding down a key on your keyboard for an extended period of time!!!!!, EVEN USING CAPS!!!!, but the fact is this place wouldn't be around if it weren't for the trolls. They're what keep this joke of a site running, that and the people stupid enough to respond to them. There's no positive discussion here any more, there's no creativity or sense of community, there's just trolls and the people who take the bait. If you want anything more than that Slashdot really isn't the place you ought to be visiting.

  8. Adware? by Anonymous Coward · · Score: 0

    Will this block auto installing adware such as Babylon and MyWebSearch?
    Those infest almost every computer out in the open, installed with Firefox or Chrome.
    People tend to click on DownloadLinks which are carefully crafted to look like legitimate downloads for the things they were looking for in the first place.

    1. Re:Adware? by Todd+Knarr · · Score: 4, Interesting

      It should. The add-ons can be dumped into the folders, but the browser will leave them disabled and non-functioning until you manually enable them. At least until the adware makers start figuring out how to dig into the internals of the browser config files and modify things directly to convince the browser the add-ons have already been enabled. That's doable but not simple, so I expect it'll take a while for that to become common. And there's simple methods the browser can use to make that modification even more difficult, eg. tagging each enabled extension with an encrypted hash of the extension's file so that the adware would have to find the browser's encryption key before it could successfully modify the configuration.

      Note that none of these will do anything about add-ons that convince the user to manually install them.

  9. You can always by Anonymous Coward · · Score: 0

    unplug the speakers

  10. Chrome has versions? by Anonymous Coward · · Score: 0

    I mean, I know Chrome is the reason that Mozilla went all crazy with their version numbering. But I gotta say, I've never once noticed just what version I'm running at any given time. And given the... unique design compared to classic browsers, I don't even know how I'd check.

    1. Re:Chrome has versions? by thaylin · · Score: 1

      "Customize and control Google Chrome" in the top right, the icon with the 3 bold lines, right below the Close X Then chose "about Google Chrome" It is basically the same as with any browser.

      --
      When you cant win, ad hominem.
  11. Version 25? by rolfwind · · Score: 1

    What the hell. Since 2008?

    Who the hell does their versioning? That's just pathetic.

    1. Re:Version 25? by Anonymous Coward · · Score: 0

      Does version 1.25 sound nicer? The version 1 dot does not add anything to this.

    2. Re:Version 25? by someones · · Score: 1

      i am still in for versionschemes like this: yyyymmdd.hhmm-optionaltext/branch/whatever

    3. Re:Version 25? by boarder8925 · · Score: 1

      I agree. They should adopt Android's naming scheme for Chrome. If they had to come up with a stupid moniker for a release every two months, I think they'd at least consider slowing their cycle.

      --
      Keep your eyes to the sky.
    4. Re:Version 25? by Anonymous Coward · · Score: 1

      Fortunately, it's just you.

    5. Re:Version 25? by Anonymous Coward · · Score: 0

      Parent must be modded Insightful by now by all the muppets who keep repeating this non-issue (IT IS A NUMBER, if you feel it is a fucking issue, divide it by 10) when it concerns Firefox.

  12. why the fuck.... by Anonymous Coward · · Score: 0

    were silent installs allowed in the first place?

  13. Anger issues. by Anonymous Coward · · Score: 0

    Anger issues? C'est vrai! Semms obvious to me. I think the tongue thrust out ( like so :>p ) and the fucking this and fucking that pretty much can be interpreted that way. Maybe the training isn't going well?

  14. Sounds like Productivity death for Chrome. by Anonymous Coward · · Score: 0

    But what else isn't totally is going to crap these days? Hey I know I have this ten year, debugged, seasoned operating system working flawlessly and controlling 100 million dollars a year. Let's format that bitch and put windows 8 on, after all it's only $14.95. Who cares about 100 million a year....
    Click to download "Crippled Chrome (El Diablo Snuf) for WIN (20MB installer) , MAC (34 MB sit file) , LINUX (10 MB tar.gz)
    Here's my predicted Future for Chrome.

    the SETTINGS in Chrome.
    Settings | Extensions | Delete All Extensions
    or about:extensions

    Settings | Advanced | Randomly Delete and Turn on/off Extensions

    the Chrome Nightly Devs
    Settings | Advanced | Uninstall Chrome
    or just about:uninstall

    Hey I know, if I FIREWALL CHROME off from the web, it can't get updates!!
    PERFECT!! Actually better yet, remove the possibility of using Extensions at all. e.g. No Extensions to begin with Close the source code and kiosk it so only people drooling will use it

  15. Re: Comodo Dragon by girlinatrainingbra · · Score: 1

    Thanks for the advice and the info about Comodo Dragon. I had not heard of it before your post. I may install it and give it a spin...
    .
    The wikipedia page on it ( http://en.wikipedia.org/wiki/Comodo_dragon ) has more info about chromium vs. comodo though the last two items look like they were respun by someone who prefers google chromium, while comodo's page ( http://forums.comodo.com/help-cd/how-is-dragon-better-t67998.0.html ) points out that google keeps track of the time it was installed (the better to track/identify you with?) and spins the usage of comodo's dns servers as a positive (hmmm....) rather than pointing out that the tracking aspects are just being transferred from google to the comodo group. Wikipedia page about Comodo has some interesting information about ( at http://en.wikipedia.org/wiki/Comodo_Group#2010_Affiliate_Registration_Security_Breach ) a couple of problems with SSL certificate verification.

  16. Re: Comodo Dragon by hairyfeet · · Score: 1

    There is one MAJOR difference between Chrome and Dragon when it comes to Dragon and it is this: If you don't want to use Comodo Secure DNS? It asks you on install, simply say "no" and that is that. You can also switch it on and off at will in the options whereas last I checked there is NO easy way to just switch off the phone home in Chrome.

    Now that said in the end you have to trust somebody somewhere to give you DNS, unless you are gonna run your own DNS server and not only is the Comodo Secure DNS pretty dang fast but I've seen plenty of times where it has stopped a page from loading because it had been infected with malware. Sure enough I would fire up a test box at the shop and let the page load and it was malware city.

    But at the end of the day you can use as much or as little of Comodo's services that you want, its all easily switchable in seconds, and it fixes the two problems you were complaining about with FF while giving you some nice extras you can take or leave. If you prefer the Gecko engine they even have their own spin on FF called Comodo IceDragon. Its nice and has similar security features but it still uses more CPU and memory than Dragon proper.

    At the end of the day I'm just a little shop guy that tripped over Comodo AV one day when AVG wasn't cutting the mustard and decided to see if they had more free stuff and found they had a ton and most of it was really good. Give it a spin, if you don't care for it just toss it in the recycle bin, no muss and no fuss. Oh and if you have to deal with infected boxes like I do might want to check out Comodo Cleaning Essentials, its free, gets rid of more nasties than malwarebytes IMHO, and also runs great on a stick, its a great tool to add to your toolbox.

    Frankly the only real complaint I have about any of the Comodo stuff is they no longer support Comodo Time Machine, if you can find a copy it still works great on anything up to Windows 7 (as long as you don't have a dual boot, it won't screw anything up, just won't install on a dual boot) but they quit supporting it. Frankly if you deal with virus prone people its like a gift from the Gods, it lets you set up a hidden partition with daily snapshots (you can even lock a snapshot so you can have your very own OEM hidden partition, with all the drivers and software preloaded) so if they fuck it up beyond even booting you can tell them just push the home key on boot and in 20 minutes they are back up like nothing happened. great tool, damned shame they don't support it any longer as I haven't found anything that will let you make your own hidden OEM partition like that easily.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  17. Will they also stop installing into Firefox? by aitan · · Score: 0

    I will not trust in Chrome until they stop adding their plugin into Firefox.

    If they care so much about what's run inside Chrome, why do they inject their Google Updater into Firefox and put their update code in a bazillion places?

    Yes, they say that it's mean to always have the latest version available, but if I'm not using it daily, why should I waste CPU cicles and bandwith trying to upgrade it until I use it?

    I have Chrome installed only because I need to use it for testing, but I strongly dislike its UI and its behavior, I just wish that it would be a normal program that only tries to update itself when I run it.

  18. Re:I'm done with Chrome. by Omestes · · Score: 1

    I think we've entered the happy period of time when all three major browsers are pretty much equal, and users can pick which on they want to use based purely on aesthetics and functionality.

    IE10 is pretty competent, I just can't stand its UI, and I have a historical bias against it. I also worry that MS with withhold updates from people who don't buy their newest OS at some point.

    Firefox is okay. It feels a bit clunky to me, but that probably is subjective. I don't really trust Mozilla's development cycle anymore, though. They like to change things for the sake of changing things, and like to add new crap that I'll never use to often. Good browser still, just not to my tastes.

    Chrome is also okay. It can be wonky, and often its stability is a bit off. 99% of the time it works fine, and then it drops a page for no reason. It also loves RAM, a lot. Not a big deal on modern systems, but still something to consider. Good also has some odd practices, dropping and adding features for arbitrary feeling reasons. If your on anything but the release channel, Google can feel a bit capricious. This is my browser of choice, but mostly out of habit, and its Android integration. I used to be a Firefox (Firebird, Phoenix) fanboy, but Moz has moved in directions I didn't like, so I moved on.

    As for the others:

    Opera, its fine. It works. But no one cares.

    Safari, it also works. But the Apple's dev and updating strikes me as a bit dubious, and not at all user-transparent. I also don't trust them to support, or upgrade across OS increments, just like MS, but worse. I also don't like how Safari works or functions. This doesn't mean its bad, it just means I don't like it.

    Comodo, I don't trust them. Probably a good Chromium port, but I don't know enough to actually trust them.

    --
    A patriot must always be ready to defend his country against his government. -edward abbey
  19. Limiting user choice. by xyourfacekillerx · · Score: 1

    So when Microsoft decided to enable do not track me by default, everyone says "you're preventing users from making the choice of being tracked!" The comments here were ridiculous. but Google decides to disable silent extensions and no one is throwing a tantrum about how they're preventing users from making that choice. What gives, people?

  20. Dragon removed Privalert by xenoc_1 · · Score: 1

    Privalert lasted all of about a week. They pulled it for "stability" reasons with an auto-update. https://forums.comodo.com/news-announcements-feedback-cd/23400-update-removes-privalert-t89212.0.html

    I suspect the real reason they pulled it was that many people pointed out it was exactly the same as Ghostery but without Ghostery being given any credit. Exact same process flow, exact same number of items in the blocklist, despite their CEO claiming on their forum that it was entirely their own code and entirely their own list. The only differences were the icon and a few less preference settings, but the ones that were there were identical. https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-ver-232-is-now-available-for-download-t89032.30.html

    I like a lot of Comodo stuff, I use a lot of it, I have Comodo Internet Security running right now, System Utilities (new name for Comodo System Cleaner), and I do have Dragon installed. But they have a massive and unsophisticated hype machine over there, complete with fanboy moderators who will "put you on our radar" if you dare to post anything other than a 100% rave about Comodo and buy whatever spin that Melih is selling. Ever since they pushed a forced-branding of Dragon about 6 or 7 releases back, I have lost a lot of trust in Comodo. They disabled theme changes somewhere around 16 or 17, put it back after an uproar, then for 2 versions disabled being able to use the New Tab Page - even if set, you opened up to comodo.com as your homepage instead of the non-web Chromium-Chrome style New Tab page. In both cases on the forum Melih made claims it shouldt have happened and would change.

    I am not saying that they are lying about the source of the Privalert extension they pushed out. But it is amazingly similar. I am not saying they pushed the forced branding on purpose. But that means if it was an accident, one might suppose that they have bad QA, and if it were deliberate but not approved at the top, one might suppose that they have a flawed software quality process.

    Note that I said: "one might suppose" and I specifically denied the interpretation that "they are lying" so if you are a lawyer for Comodo, I didn't accuse your client of anything. I commented on how non-Comodo people might possibly perceive things which may or may not be true with no way for me to tell.

    I continue to use some Comodo products. But until I see more transparency about these seemingly-sketchy issues, I am reluctant to resume recommending them. Something I used to do wholeheartedly.

  21. 2012... And still auto install crap. by Anonymous Coward · · Score: 0

    Really. It's now 2012 and there's still software that allows automatic installation of stuff from the internet.

    Fucking computer programmers are incompetent assholes. If cars were designed and engineered as poorly as this then the automakers would be sued out of existence and we'd still be riding around on horses.

    The coders responsible for this utter shit are fucking retards that haven't learn jack shit from history and shouldn't be allowedanywhere near a computer. Let alone allowed to releae their shit onto the general public..

  22. User choice by Anonymous Coward · · Score: 0

    I know I make good choices about what to download and you think you do too, but non-tech users make really weird decisions - they ask me about what I think are the most obvious things (advanced system care want to update should I let it? - yeah, like I told you ten times already, I installed asc to take care of your system) then find they agreed to stuff installing without checking, like when it reported their computer full of viruses; another time a box popped up in their browser from microsoft asking for their bank account details to reset their password, so because it was microsoft they sent it all off god knows where. I explain using a computer with no technical knowledge is like driving a car without knowing how to drive - it can be ok, but it's usually worth learning how to drive to save on accidents. No matter how many times i say what is safe and what isn't they continue to behave like they discovered the internet yesterday. no wonder some companies go for the silent install. I don't like it (I hate it - it's my machine and I decide what happens to it) but i can understand why some companies give up explaining to the general user and just do it